Thursday, January 04, 2007

Disclosure ethics apply to BOTH parties

This article discusses whether the Month of Apple Bugs is responsible disclosure:

Humorously, the article quotes eEye as supporting ethics, even though eEye has long been famous for its lack of ethics.

Attempts at ethics usually go badly. Dave Maynor discovered numerous critical vulnerabilities in everybody's Wi-Fi stacks. He notified vendors, and when doing his Blackhat talk about the subject, bent over backwards to hide details that would help hackers. To his credit, a lot of these bugs have been fixed without hackers taking advantage of them. However, Apple successfully exploited the lack of details to attack his credibility in order to cover their own asses. In other words, his attempts at ethics backfired.

Ethical handling of a vulnerability is a two-way street, requiring good behavior on both the researcher and the vulnerable vendor. Apple is not an ethical company - it's not just the Blackhat incident, but a track record going back several years. We've got more Apple bugs in the works. We are going to release them directly to the community (with maybe a pre-release to Landon Fuller) without giving Apple's PR machine enough time to attack us.

If Apple wants the research community to treat them better, they will have to treat researchers better. I suggest a good first step is that they draft a "Responsible Disclosee" policy on their website that discloses exactly how they will handle notifications (such as pass them to their engineers to fix rather than to their PR team to cover up) and which promises that they WON'T threaten, sue, buy off, character assassinate, or otherwise intimidate the researcher.

4 comments:

Why doesn't Maynor just come out with what happened with Apple and the wireless driver thing (or did I miss it -- sorry if I did)?

Apple came out with their story and the patches have been released. I understand NDAs, but certainly releasing what happened when and how it was disclosed can be discussed. I mean, Apple did (via George Ou and the patch notes) and pretty much called Maynor and Cache er, not so smart. Were their (Apple's) released statements lies? Or were they wordsmithing? Or was it accurate on how the disclosure happened (i.e. no info about Apple products was given to them)?

Your post implies that ethics are only relevant/useful/functional/important when others are also ethical.

Is that really where you want to stake your claim, given that your business is cybersecurity?

If I do something you don't like and am your client, your post would make me nervous. And not 'nervous' because I was necessarily being unethical, but rather because *your* ethics and actions would seem dependent on *your* interpretation of *my* choices. You give yourself the role of arbiter of my ethics, and the right to absolve yourself of ethical responsibility at your discretion. This raises all kinds of red flags.

It seems to me to make more sense to stand by a set of clear ethics, rather than make them contingent upon the actions of others. If you're going to have tit-for-tat, game-theory-inspired deviations, you need to put them out there in advance. Otherwise, your ethics seem like mere conveniences, devoid of any real intent or meaning.

Blanket statements like "Attempts at ethics usually go badly" are a little jarring, too.

It is a fair question. It’s not that ethics aren’t relevant/useful/functional/important; it’s that without both parties being ethical one party runs the risk of being dragged through the mud. Rob is not suggesting that just because someone treats you badly it’s suddenly OK to treat them badly. What he is saying is that so much of the disclosure argument rests on what the researcher should do with little or no discussion of what companies should do.

Think of disclosure ethics like traffic laws: they work because everyone is supposed to obey them. But in situations where people decide they are above the law and start doing things like running red lights or speeding or driving while intoxicated they put not only themselves at risk but everyone else on the road. This doesn’t mean you should stop following traffic laws, it just means you should drive defensively.

It is the same with vendor notifications. After a vendor does to a researcher what was done to Jon and me you should never put yourself in that position again. This doesn’t mean that suddenly disclosure ethics need not apply; it just means we will not risk the exposure of having any kind of communications with Apple. We can have third party people do the coordination and what not, but we will not report anything directly to Apple again.